Hello,
Here are some options I've set in my Apache configuration, and for my setup Roundcube does show messages.
HTH, Dave.
Header always set X-Frame-Options SAMEORIGIN
# Prevent Cross Site Scripting (XSS)
Header set X-XSS-Protection "1; mode=block"
# Prevent Mime Types Security risks
Header always set X-Content-Type-Options nosniff
# Content-Security-Policy
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'self'"
# Cross-domain-policy
Header set X-Permitted-Cross-Domain-Policies "none"
# Referer policy
Header always set Referrer-Policy "strict-origin"
# expect-ct policy
Header always set Expect-CT 'enforce, max-age=43200'
On 10/9/19, roundcube--lists@thomas.freit.ag <roundcube--lists@thomas.freit.ag> wrote:
Hi James,
my guess is that the header configured in your .htaccess file is not overriding the one set in http.conf. You can easily check this with the Firefox or Chrome dev tools in the network tab. Unfortunately the Apache httpd documentation (@ https://httpd.apache.org/docs/current/mod/mod_headers.html) does not.
On 09.10.19 09:38, James Brown wrote:
Still can’t get this to work.
I’m using the .htaccess file in my roundcube/ root.
I.e. to override the CSP headers in http.conf (for all that Apache serves).
No matter what I put I still get no messages in the mailboxes.
The JavaScript console shows:
Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy. roundcube:57
In apache_root/roundcube/.htaccess I have:
Header set Content-Security-Policy "default-src 'unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; referrer no-referrer"
I would suggest using "Header always set ..." or "Header unset Content-Security-Policy" before setting it with a new value.
httpd.conf has:
Header set Content-Security-Policy "default-src 'self'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; report-uri https://bordo.report-uri.com/r/d/csp/wizard"
My CSP header value is "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'unsafe-inline' 'self'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; report-uri....". Works for latest 1.3.x and 1.4.x-RC, with httpd 2.4.38 "header set" in my .htaccess is sufficient to set it.
hth, Thomas
_______________________________________________
Roundcube Users mailing list
users@lists.roundcube.net
http://lists.roundcube.net/mailman/listinfo/users
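The console message James quotes is the browser applying a fixed rule: an inline script runs only if 'unsafe-inline', a nonce or a hash appears in script-src, or in default-src when script-src is absent. The script below is an added example (not code from the thread, Roundcube or Apache) that applies that rule to the two policies posted here, and to a response that carries both of them at once. The header strings are copied from the thread; James's .htaccess value has the doubled quote in default-src removed, and its non-standard "referrer" directive is left in place because a browser simply ignores unknown directives.

```python
"""Added example: apply the browser's inline-script rule to the CSP values
posted in this thread, and to a response carrying two CSP headers.
Not code from Roundcube, Apache or any participant in the thread.
"""
import re

# nonce-source / hash-source forms from the CSP grammar
NONCE_OR_HASH = re.compile(r"'(nonce-[^']+|sha(256|384|512)-[^']+)'", re.IGNORECASE)

# Copied from the thread: the server-wide policy in httpd.conf ...
HTTPD_CONF_CSP = ("default-src 'self'; form-action 'self'; frame-ancestors 'self'; "
                  "base-uri 'self'; report-uri https://bordo.report-uri.com/r/d/csp/wizard")
# ... and the per-directory policy from apache_root/roundcube/.htaccess
# (stray quote removed; "referrer" is not a standard directive and is ignored)
HTACCESS_CSP = ("default-src 'unsafe-eval'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
                "style-src 'self' 'unsafe-inline'; img-src 'self'; frame-src 'self'; "
                "connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; "
                "form-action 'self'; referrer no-referrer")


def parse_csp(value):
    """Split a CSP header value into {directive-name: [source-expressions]}.
    Directive names are case-insensitive; a directive repeated within one
    policy is ignored after its first occurrence, as browsers do."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if not parts:
            continue
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy, directive):
    """script-src (like the other fetch directives) falls back to default-src
    when absent. None means no directive governs the request at all."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def inline_script_verdict(value):
    """Decide what one policy does with an inline <script>:
      'allowed'             - 'unsafe-inline' is present (and no nonce/hash)
      'needs-nonce-or-hash' - only scripts carrying a matching nonce/hash run;
                              a nonce or hash also disables 'unsafe-inline'
      'blocked'             - the browser logs the message seen in this thread
    """
    sources = effective_sources(parse_csp(value), "script-src")
    if sources is None:
        return "allowed"
    if any(NONCE_OR_HASH.fullmatch(s) for s in sources):
        return "needs-nonce-or-hash"
    if "'unsafe-inline'" in (s.lower() for s in sources):
        return "allowed"
    return "blocked"


def response_verdict(header_values):
    """A response may carry several Content-Security-Policy headers (for
    example one from 'Header set' and one from 'Header always set', which
    mod_headers keeps in separate tables). Each policy is enforced on its
    own, so the inline script runs only if every policy lets it."""
    verdicts = [inline_script_verdict(v) for v in header_values]
    if any(v == "blocked" for v in verdicts):
        return "blocked"
    if any(v == "needs-nonce-or-hash" for v in verdicts):
        return "needs-nonce-or-hash"
    return "allowed"


if __name__ == "__main__":
    print("httpd.conf policy alone:      ", inline_script_verdict(HTTPD_CONF_CSP))
    print(".htaccess policy alone:       ", inline_script_verdict(HTACCESS_CSP))
    print("both headers on one response: ", response_verdict([HTTPD_CONF_CSP, HTACCESS_CSP]))
```

The practical check is the one Thomas describes: look at the response in the browser's network tab (or with `curl -sI` against the Roundcube URL) and count the Content-Security-Policy headers. If two are present the browser enforces both, and the server-wide policy with no script-src and only 'self' in default-src blocks the inline script no matter what .htaccess adds. Because mod_headers keeps "Header set" and "Header always set" in separate tables, clearing the old value reliably means unsetting it in both (Header unset and Header always unset) before setting the one you want.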